fix: ReDos regex vulnerability, reported by @dayshift (#741)

wolfy1339 · web-flow · commit 356411e32170 · 2025-02-14T16:08:08.000-08:00
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -23,8 +23,8 @@
   "author": "Gregor Martynus (https://github.com/gr2m)",
   "license": "MIT",
   "dependencies": {
-    "@octokit/endpoint": "^9.0.1",
-    "@octokit/request-error": "^5.1.0",
+    "@octokit/endpoint": "^9.0.6",
+    "@octokit/request-error": "^5.1.1",
     "@octokit/types": "^13.1.0",
     "universal-user-agent": "^6.0.0"
   },
diff --git a/src/fetch-wrapper.ts b/src/fetch-wrapper.ts
@@ -56,7 +56,7 @@ export default function fetchWrapper(
 
       if ("deprecation" in headers) {
         const matches =
-          headers.link && headers.link.match(/<([^>]+)>; rel="deprecation"/);
+          headers.link && headers.link.match(/<([^<>]+)>; rel="deprecation"/);
         const deprecationLink = matches && matches.pop();
         log.warn(
           `[@octokit/request] "${requestOptions.method} ${
diff --git a/test/request.test.ts b/test/request.test.ts
@@ -18,6 +18,33 @@ const userAgent = `octokit-request.js/0.0.0-development ${getUserAgent()}`;
 const stringToArrayBuffer = require("string-to-arraybuffer");
 
 describe("request()", () => {
+  it("Test ReDoS - attack string", () => {
+    const fakeFetch = async (url: string, options?: RequestInit) => {
+      const response = await fetch(url, options);
+      const fakeHeaders = new Headers(response.headers);
+      fakeHeaders.set("link", "<".repeat(100000) + ">");
+      fakeHeaders.set("deprecation", "true");
+      return new Response(response.body, {
+        status: response.status,
+        statusText: response.statusText,
+        headers: fakeHeaders,
+      });
+    };
+    const startTime = performance.now();
+    request("GET /repos/octocat/hello-world", {
+      request: { fetch: fakeFetch },
+    });
+    const endTime = performance.now();
+    const elapsedTime = endTime - startTime;
+    const reDosThreshold = 2000;
+    expect(elapsedTime).toBeLessThanOrEqual(reDosThreshold);
+    if (elapsedTime > reDosThreshold) {
+      console.warn(
+        `🚨 Potential ReDoS Attack! getDuration method took ${elapsedTime.toFixed(2)} ms, exceeding threshold of ${reDosThreshold} ms.`,
+      );
+    }
+  });
+
   it("is a function", () => {
     expect(request).toBeInstanceOf(Function);
   });
